Outing Spooks: “Doxing” in the Cyber-Hack Era

Revealing the identities of intelligence officials – a practice known as doxing – could become more common among nation-states, directed in particular at the clandestine cyber-spies who operate overseas. Doing so undermines an unspoken norm of confidentiality among even adversarial intelligence services – where they allow each other to operate intelligence networks in their country, within limits. It also opens individuals and their families up to violent acts by non-state actors such as terrorists and criminal groups as well as retribution by on-looking governments.

Spies have long relied on a level of anonymity or cover to operate effectively and safely in foreign lands under the watchful eyes of host-nation counterintelligence units and paranoid terrorist and criminal organizations. Should their identities become known, their country could face political blowback and they themselves could be confronted with prison or even violence.

For example, Philip Agee, a disgruntled former CIA officer, allegedly revealed the identity of over 1,000 CIA officers during the 1970s in as part of a undermine the ability of U.S. intelligence to operate clandestinely overseas. In the September 1974 issue of the magazine CounterSpy, Agee publically identified Richard Welch as the CIA station chief in Athens, leading to the publication of his home address and phone number. A year later, Welch was assassinated by a Greek terrorist group, prompting Congress to pass the Intelligence Identities Protection Act, criminalizing the intentional, unauthorized disclosure of information identifying a U.S. covert agent.

“Doxing is an active and important tactic for eliciting forced cooperation from assets and reducing the operating space for adversary intelligence services. Doxing can compel cooperation from those fearing further release of their information. It can lead to the recall of exposed and vulnerable officers that are hard to train and embed in the first place. We are all acutely vulnerable today to our most personal and professional information being made public. Equally, we are all at risk of our actual information being packaged with embellishment and false narrative.”

But cyber spies, primarily operating remotely by accessing sensitive networks through the global internet, have largely remained immune to such dangers – until now. Increasingly, the individuals behind state-sponsored hacking have personally begun taking the punishment intended for their government’s espionage practices. While the consequences of this could potentially be similar a human intelligence collector undercover being expelled, detained or worse, it does present a new challenge to cyber operators who have in the past been able to engage in espionage with relative immunity from their home countries.

John Sipher, Former Member of the CIA’s Senior Intelligence Service

“In some ways, this is just the 21st century version of a counterintelligence or security outing an intelligence officer in the newspaper. When one service catches an officer of another service in the act of facilitating espionage, they can do a number of things. They can arrest or intimidate the officer, they can kick the officer out of the country or can look to publicly shame or embarrass the officer and his/her country.”

The fear of retaliation against state-sponsored hackers, including those within the National Security Agency’s Tailored Access Operations (TAO), now known as Computer Network Operations (CNO), publically began following the U.S. decision to indict five Chinese People’s Liberation Army (PLA) hackers by name in May 2014 – the first time criminal charges were filed against known state actors for hacking. Just last week, the U.S. indictedthree more Chinese hackers with reported links to the Ministry of State Security.

In March 2016, the Justice Department revealed indictments for seven Iranian hackers working on behalf of the Islamic Revolutionary Guard Corps for allegedly launching distributed denial of service (DDoS) attacks against U.S. financial institutions in 2012 – likely in retaliation for the reported U.S.-Israeli Stuxnet worm deployed against Iran’s nuclear facility in Natanz.

Then in March, the U.S. charged two intelligence officers from the Russian Federal Security Service (FSB), along with two Russian cybercriminals, for their roles in accessing over 500 million Yahoo accounts beginning in January 2014. According to the Wall Street Journal, the Justice Department has also reportedly identified roughly six members of the Russian government who were involved in the breach into the Democratic National Committee’s (DNC) computer systems, and is expected to file charges against them next year.

Ultimately, these indictments have been pursued for deterrence against state-sponsored aggression in cyberspace with the full legal and diplomatic backing of the U.S. government. But Russian, Chinese and Iranian governments might seek to retaliate in-kind – which among authoritarian governments often rhymes, rather than duplicates, Western actions.

Steven Hall, Former Member of the CIA’s Senior Intelligence Service

“The Russians live and die by reciprocity. For them, that is one of the linchpins of how they deal with issues like these, and basic diplomatic and policy issues. Typically it has been that if we expel five of their guys, they are going to turn around and expel five of ours. They are always going to look for a reciprocal way to push back. But there are times were they do things that aren’t always clear to us why they consider it reciprocal. And this might be one of those things.”

China, for example, is well-suited to dox U.S. intelligence officials should Beijing choose to, after reportedly gleaning information on over 20 million U.S. government employees by breaching the systems of the Office of Personnel Management (OPM) in 2015.

The fears of retaliation against U.S. cyber spies came to fruition in April when a group calling itself the Shadow Brokers released a cache of alleged NSA hacking tools and details of the supposed 2013 hacking of the SWIFT financial transfer messaging system. The material exposed the names of several alleged NSA employees who personally hacked the EastNets SWIFT service bureau and targeted a number of accounts, including Kuwait’s Fund for Arab Economic Development and the Palestinian al Quds bank. The Shadow Brokers then reportedly exposed another former TAO hacker in public statements.

Many experts consider the Shadow Brokers to be a proxy outfit for Russian security services, providing an avenue of plausible deniability, similar to the moniker Guccifer 2.0 and as DCLeaks did during the Kremlin’s interference in the 2016 U.S. elections.

Daniel Hoffman, Former CIA Chief of Station

“Shadow Brokers are likely connected in some way to the government of Russia, but I would question whether it might be under the direct command and control of Russian intelligence.”

Steven Hall, Former Member of the CIA’s Senior Intelligence Service

“Up until 2010, I would have said it was highly unusual for the Russian intelligence services to go ahead and leak information specifically with regard to foreign intelligence officers. It was one of those vestigial gentlemen’s agreements that even with persona non grata action of expelling intelligence officials, releasing the names and confirmation of the status was something neither side really did. Since 2010 – and I am not exactly sure what the reasons are – they have been a bit more aggressive about releasing information. They put my name out there after I left Moscow. There is a general trend that Russia is more willing to leak information on American intelligence officers, which makes them potential targets of terrorist threats.”

It is unlikely that indictments of foreign state-sponsored hackers will result in their eventual incarceration given the protections provided to them by their home governments. Therefore, the more reasonable intentions of U.S. indictments are to name the alleged perpetrators publicly and make it difficult for them to travel or continue to effectively conduct their jobs in a clandestine fashion, particularly in countries with extradition treaties with the United States.

If the Shadow Brokers are in fact linked to the Kremlin, then the doxing of NSA cyber operators is designed to similarly impede current and former U.S. cyber operators from traveling and engaging in clandestine operations abroad – particularly should targeted countries, including allies, take legal action against the individuals for their past involvement in NSA operations. It is also designed to instill fear, as the information could potentially inspire violence against the individuals and their families.

Steven Bay, Former Contractor, NSA

“A major difference between the U.S. revealing FSB officials via indictment is that the U.S. approach is taken deliberately through a legal construct. It is, in essence, a diplomatic tool to attempt to decrease the alleged illegal or harmful activities of nation states against the United States. With Shadow Brokers, the intent is similar – in that it is trying to decrease the effectiveness of U.S. cyber and intelligence operations. However, it is done with no legal or diplomatic backing and often the people they are revealing appear to be lower-level individuals.”

Perhaps most importantly, the intention is part of a larger attempt to create a false moral equivalence between U.S. offensive cyber operations and those perpetrated by adversarial nation-states such as Russia, whose cyber operations leading up Western elections have grabbed the media spotlight.

Daniel Hoffman, Former CIA Chief of Station

“Russian intelligence would want to expose individuals who are operating under cover because it raises the cost of our operations and exposes offensive cyber operations. There is an ongoing debate in the U.S. about managing the risks of offensive cyber operations with the potential benefits. Russia would want to amplify and sharpen that dialogue. They are very nervous about our offensive hacking capabilities and this is one way to try to impact us, to try to diminish our capabilities. There is an internationally recognized norm about conducting espionage. The question is less about collecting intelligence but rather how it is weaponized against targets. Russia often mounts nefarious influence and other operations with their ill-gotten intelligence.”

John Sipher, Former Member of the CIA’s Senior Intelligence Service

“It seems to me that doxxing intelligence officials was to be expected. The U.S. and its adversaries have been trying to develop the unwritten rules for this new digital age. What is deterrence in the cyber age? Where are the boundaries as countries and individuals steal or attack each other? How far can we go before we trigger a retaliation? How do we send signals to make clear what is acceptable, and what not? If took time for the nuclear powers to develop rules of the road, and understand the distinctions between deterrence and defense. Spy services have also developed a series of unwritten rules of how they should interact. It will likely take some time – and some pain – before the participants better understand how they can play the game in the digital age.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.